Google has released a Stable Channel update to version 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux, addressing four high-severity security flaws. While all of these issues present serious risks, one stands out: CVE-2025-10585, a vulnerability in Chrome’s V8 JavaScript engine, is already being exploited in the wild.
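A fleet check against the fixed build named above, as an added example that is not part of the original article or of Google's advisory. It assumes version strings shaped like the output of `google-chrome --version`; the hostnames and reported versions in the sample inventory are constructed.

```python
import re

# Lowest fixed Stable build stated in the article. Windows and Mac ship
# .185 or .186, Linux ships .185, so .185 is the floor on every platform.
FIXED_BUILD = (140, 0, 7339, 185)

# Matches a four-part version inside strings such as
# "Google Chrome 140.0.7339.127"; rejects longer dotted runs like 1.2.3.4.5.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one reported version string: patched, vulnerable or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so 7339.99 < 7339.185,
    # which a plain string comparison would get wrong.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Map host -> status for a {host: reported version string} inventory."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 140.0.7339.185",
    "ws-002": "Google Chrome 140.0.7339.127",
    "mac-003": "Google Chrome 140.0.7339.186",
    "lnx-004": "Google Chrome 139.0.7258.154 ",
    "ws-005": "Google Chrome 140.0.7339.99",
    "ws-006": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual look, since a missing or unparseable version says nothing about whether the fix is installed.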
CVE-2025-10585: Type Confusion in V8 (Zero-Day)
The most urgent of the fixes addresses a type confusion bug in V8, Chrome’s core JavaScript and WebAssembly engine. Reported by Google Threat Analysis Group (TAG), this vulnerability allows attackers to manipulate memory in ways that can lead to arbitrary code execution simply by luring users to malicious web pages. Google confirmed, “Google is aware that an exploit for CVE-2025-10585 exists in the wild,” underscoring the need for immediate patching.
CVE-2025-10500: Use-After-Free in Dawn
The second vulnerability, CVE-2025-10500, lies in Dawn, the graphics abstraction layer underpinning WebGPU. Reported by Giunash (Gyujeong Jin), this flaw is categorized as a use-after-free issue, which occurs when a program continues to use memory after it has been released. Such flaws can lead to browser crashes or, in the worst case, arbitrary code execution if exploited. Google awarded a $15,000 bounty for its discovery.
CVE-2025-10501: Use-After-Free in WebRTC
The third vulnerability, CVE-2025-10501, impacts WebRTC, the technology enabling real-time voice, video, and data sharing in browsers. Reported by sherkito, it also falls into the category of use-after-free flaws. Given WebRTC’s role in online communications, exploitation could allow attackers to compromise live sessions or crash communication services. Google issued a $10,000 reward for this report.
CVE-2025-10502: Heap Buffer Overflow in ANGLE
Finally, CVE-2025-10502 involves a heap buffer overflow in ANGLE, a graphics engine translation layer used to improve compatibility across graphics APIs like OpenGL and Direct3D. Reported by Google Big Sleep, the flaw could allow memory corruption and possible remote code execution. While details remain restricted, heap buffer overflows are often considered highly exploitable, especially in rendering contexts.